GDPR is now just around the corner. We look at what impact it will have on your SME and how you should prepare.

Does May 25th, 2018 ring a bell? For anyone running an SME (or any other business), it should. It’s the date on which the EU’s General Data Protection Regulation (GDPR) takes effect across the EU, the UK included. The legislation is a radical overhaul of the existing EU data protection law, the 1995 Data Protection Directive, which is now in its 23rd year and well past its sell-by date. The GDPR is designed to strengthen the protection of personal data and give individuals in the EU far greater control over how their data is used.

In the UK, many SME owners haven’t exactly been scrambling to get ready. Just a few weeks ago, a survey revealed that 39% of SMEs hadn’t even started their preparations. Some believed Brexit would exempt UK businesses, or that GDPR only applied to huge corporations; neither is true. For many, however, GDPR has probably just sunk to the bottom of an endless to-do list.

So, if your SME is currently in the ‘unprepared’ camp, we’ve got good news and bad news.

Bad news first: there’s no getting round it, you really do have to prepare. Apart from the sound ethical reasons for following the GDPR, the legislation comes equipped with some very large teeth. If you’re not compliant, you could face a fine of up to either 4% of your annual worldwide turnover or €20 million, whichever is the greater. Don’t think that the small scale of your business will save you: the GDPR applies from the largest concern to the tiniest. There have been some reports that fines may be lower for SMEs, but we wouldn’t want to test that.

There is good news, however. It’s late, but there’s still time to prepare and oodles of help available.

With all that in mind, let’s take a look at how you can get going with GDPR compliance.

First steps in tackling GDPR

There’s no shortage of information out there on GDPR, but when you’re starting out you might as well go directly to the source. The Information Commissioner’s Office (ICO) website is full of useful resources. In particular, the ICO has produced a 12-step guide that gives a great overview of how to prepare. Although it is a summary document, it links to the further guidance you’ll need to tackle the nitty-gritty.

However, working through the ICO’s material does take time and, for the typical SME owner, that’s something in short supply. If that’s the case, you might consider signing up for one of the many GDPR webinars and seminars that have sprung up. Of course, you’ll have to pay, but the savings in time (and stress!) may be worth it.

Whichever route you take, once you’ve got some understanding of the GDPR’s provisions, the next step will undoubtedly be an audit: what personal data you hold, where it lives, why you hold it and who has access to it. This will assess your current situation and identify the areas in which you need to take action. Again, if you simply don’t have the time, there are companies who will undertake this for you.

When you complete the audit, you might be in for a pleasant surprise. If you’ve already implemented the Data Protection Act 1998 properly and adopted best practice, the GDPR may not be too challenging.

Four pointers for SMEs

As noted above, it’s your responsibility to fully engage with the GDPR, and your key source has to be the ICO’s website. However, based on our own experience of working with SMEs, here are four key procedures to put in place.

1. Designate someone in charge of data protection

Some SMEs will need to formally appoint a Data Protection Officer. However, that’s not mandatory for all organisations: the GDPR requires a DPO only for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as health data). At the very least, though, you will need to designate someone with overall responsibility for data protection. No formal qualifications are needed for this; the person just has to be familiar with the company’s data practices and the requirements of the GDPR. In the smallest companies, the designated person will probably be the owner.

2. Have a mechanism in place to report data breaches

Under the GDPR, all organisations have a duty to report a breach of security to the ICO if ‘it is likely to result in a risk to the rights and freedoms of individuals.’ Examples include breaches that could potentially lead to ‘discrimination, damage to reputation, financial loss, loss of confidentiality.’ If the risk of any of the above happening is high, you must notify the individuals concerned too, without undue delay.
All this needs to be done promptly: the ICO must be notified within 72 hours of your becoming aware of the breach, where feasible. Otherwise you could face a double whammy of being fined for the breach and for failing to report it. You’ll therefore need a robust reporting system in place. For example, what will you do if a breach occurs when your data protection person is on holiday? Name a deputy and make sure staff know who to tell. You’ll also need to think about how you’d detect a breach in the first place: you can’t report what you can’t see, so check that your systems keep the logs and alerts that would reveal unauthorised access or a lost device.

3. Review any consent arrangements in your marketing

Consent is a big deal in the new legislation, and you’ll need to look carefully at how it is dealt with in your marketing. Tick-boxes are a good example, as they are specifically mentioned in the guidance.
Under the old regulations, it was fine to present potential customers with a box labelled ‘I do not wish to receive updates and special offers.’ Note that this requires the reader to actively do something (i.e. tick the box) to opt out. Under the GDPR, consent must be a clear affirmative action, so this ‘presumption of consent’ no longer counts as consent at all: people must do something to opt in. Companies have also assumed consent by providing pre-ticked boxes, for example ‘Yes, please send me offers that may be of interest to me!’ The GDPR explicitly rules these out too; silence, inactivity or a pre-ticked box is not consent.
You’ll also need to ensure that it’s as easy for your contacts to withdraw their consent as it was to give it, and you’ll need to be able to show what they consented to and when.
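As an added illustration (not code from the original article or from MV Marketing), the following Python shows the server-side half of the tick-box point. The field names, the consent wording, the form payloads and the in-memory records are assumptions made for this example. The old opt-out pattern is kept alongside the opt-in pattern so the difference is visible: a browser omits an unticked checkbox from the submission entirely, so the server must treat an absent field as ‘no consent’, never as a default ‘yes’.

```python
"""Handling a marketing-consent tick-box on the server (added example).

Assumptions for illustration: the form field is named `marketing_opt_in`,
the wording shown next to the box is CONSENT_TEXT, and records are kept in
memory rather than in a database.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

CONSENT_FIELD = "marketing_opt_in"          # assumed checkbox name in the form
CONSENT_TEXT = "Yes, please email me updates and special offers"  # assumed label
TRUTHY = {"on", "1", "true", "yes"}         # values browsers/frameworks send for a ticked box


@dataclass
class ConsentRecord:
    """What we keep so that consent (or its absence) can be evidenced later."""
    email: str
    granted: bool
    wording: str                      # the exact text the person agreed to
    granted_at: Optional[datetime]
    withdrawn_at: Optional[datetime] = None


def legacy_opt_out_consent(form: dict) -> bool:
    """The OLD pattern: a box labelled 'I do not wish to receive updates'.

    An untouched form sends no `no_marketing` field, so this treats silence
    as consent. Kept here only to show why it fails the GDPR's
    affirmative-action test; do not use it.
    """
    return form.get("no_marketing") not in TRUTHY


def record_consent(form: dict, now: Optional[datetime] = None) -> ConsentRecord:
    """The GDPR pattern: consent exists only if the box was actively ticked.

    A missing field (unticked box) or any unexpected value yields
    granted=False. The form itself must not pre-tick the box; this function
    cannot tell a pre-ticked box from a deliberately ticked one.
    """
    now = now or datetime.now(timezone.utc)
    granted = form.get(CONSENT_FIELD) in TRUTHY
    return ConsentRecord(
        email=form["email"],
        granted=granted,
        wording=CONSENT_TEXT,
        granted_at=now if granted else None,
    )


def withdraw_consent(record: ConsentRecord, now: Optional[datetime] = None) -> ConsentRecord:
    """Withdrawal must be as easy as giving consent: one call, no conditions."""
    record.granted = False
    record.withdrawn_at = now or datetime.now(timezone.utc)
    return record


def can_send_marketing(record: ConsentRecord) -> bool:
    """Gate every campaign send on the current state of the record."""
    return record.granted and record.withdrawn_at is None


if __name__ == "__main__":
    # Constructed sample submissions: one where the visitor left the box alone,
    # one where they ticked it.
    untouched = {"email": "sam@example.com"}
    ticked = {"email": "sam@example.com", CONSENT_FIELD: "on"}
    print("legacy opt-out treats silence as consent:", legacy_opt_out_consent(untouched))
    print("opt-in, untouched form:", can_send_marketing(record_consent(untouched)))
    rec = record_consent(ticked)
    print("opt-in, ticked box:", can_send_marketing(rec))
    print("after withdrawal:", can_send_marketing(withdraw_consent(rec)))
```

The record keeps the exact wording shown at the time, because the same checkbox name may sit next to different text on different forms over the years. If a contact later asks what they agreed to, you need the text, not just a flag.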

4. Think how you will deal with individuals’ rights over their data

As things stand, individuals have limited rights over the data that companies hold on them. That changes in May. The GDPR gives individuals a slew of new or strengthened rights regarding their data. A customer can, for example, request a copy of the data you hold on them (free of charge, and you normally have one month to respond), ask to have it corrected or erased completely, or have it transferred to another company. How would your business cope with several requests like these at once? If you’re not even sure what data you hold on individuals, or it’s scattered between different databases, spreadsheets and inboxes, that audit we mentioned becomes crucial.

How much impact on your business?

Whether the GDPR has a major impact on your business will depend on several factors. One is how you’ve treated data so far. As we pointed out above, companies that have worked hard at protecting data will have considerably less to do. The second is the type (and scale) of your operations: obviously, the GDPR will hit businesses with lots of direct marketing and interaction with prospects harder. You can’t change the past and you can’t change your sector, but you can at least do something about the third factor: how much planning you’ve done. If the steps towards GDPR are taken systematically, and in plenty of time, the disruption needn’t be huge.


MV Marketing specialise in helping SMEs with a wide range of marketing activities. For flexible marketing solutions that don’t cost the Earth, please contact us today.